hMailServer script to anonymise internal IP addresses

We all know that (accidentally) exposing private information to all and sundry is a bad thing; information leaked in SMTP Received: headers is a goldmine for pentesters and blackhats alike. Here’s a little script for hMailServer which will anonymise the names and IP addresses of internal SMTP mail clients that would otherwise be placed into a Received: header.

The script might need some tweaking to suit your environment:

It will anonymise Received: headers only when the connecting client’s IP address starts with 172.16. Alter this check to suit your own environment.

You’ll need to change mail.example.com to whatever hMailServer’s Local host name is set to (under Settings->Protocols->SMTP->Delivery of e-mail).

hMailServer scripts are by default written in VBScript; I’ve had extensive counselling to get over the experience, and I’m fine now.

Tweak the script below, then add it to EventHandlers.vbs. Take care if you already have a handler defined for OnAcceptMessage:

' Strips out private IP addresses from Received header
' if the client's IP address is in 172.16.0.0/16
Sub OnAcceptMessage(oClient, oMessage)

    ' Check client's IP address - we only want to do this work
    ' for internal clients
    If Left(oClient.IPAddress, 7) = "172.16." Then

        Dim oHeaders
        Set oHeaders = oMessage.Headers

        ' Iterate over the headers looking for Received:
        Dim i
        For i = oHeaders.Count - 1 To 0 Step -1

            Dim oHeader
            Set oHeader = oHeaders.Item(i)

            ' Check if this is a header which we should modify.
            If LCase(oHeader.Name) = "received" Then

                ' Log the header value in case we need it later on
                EventLog.Write("Pre-anonymisation: " & oHeader.Value)

…thereby neatly hiding the fact that there is an internal machine called some-machine at IP address 172.16.28.16. The original header is logged to hMailServer’s EventLog file in case it’s needed later on for debugging, or during Incident Response or other forensic activity.

The script doesn’t actually alter any of the IP addresses used in handling the message, it just masks information in Received: headers.

That said, there’s no reason why you couldn’t alter the script to make use of some kind of counter (stored in a file? or the registry? I don’t know if hMail scripts have the concept of a global variable…?). When the counter ticks past certain values, you could change what the call to myRegExp.Replace() does to alter the string inserted into the Received: header.
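To confirm from the receiving side that nothing internal still leaks, the headers of a delivered test message can be scanned for RFC 1918 addresses and known internal host names. The following is an added example, not part of the original post or of hMailServer; the function name `received_leaks`, the `internal_names` parameter and the sample messages (including their header layout) are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# RFC 1918 private ranges. The page's script only checks the 172.16. prefix;
# this check covers all three ranges so other internal hops are caught too.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def received_leaks(raw_message, internal_names=()):
    """Return (hop, kind, value) tuples for internal details in Received: headers.

    hop 0 is the topmost (most recently added) Received: header.
    """
    msg = message_from_string(raw_message)
    leaks = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        for candidate in IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:  # e.g. 999.1.1.1 is not a valid address
                continue
            if any(addr in net for net in RFC1918):
                leaks.append((hop, "ip", candidate))
        for name in internal_names:
            pattern = r"(?<![\w.-])" + re.escape(name) + r"(?![\w-])"
            if re.search(pattern, value, re.IGNORECASE):
                leaks.append((hop, "name", name))
    return leaks


# Constructed sample messages (not captured traffic; header layout assumed).
BEFORE = (
    "Received: from mail.example.com ([203.0.113.25])\n"
    "\tby mx.example.org with ESMTPS; Tue, 02 Jan 2024 10:00:05 +0000\n"
    "Received: from some-machine ([172.16.28.16])\n"
    "\tby mail.example.com with ESMTPA; Tue, 02 Jan 2024 10:00:00 +0000\n"
    "Subject: test\n\nbody\n"
)
AFTER = BEFORE.replace("some-machine ([172.16.28.16])", "mail.example.com")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, received_leaks(raw, internal_names=["some-machine"]))
```

An empty result for a message that has passed through the server means the handler ran and was saved; any remaining entry names the hop that still exposes an internal address or name.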

I’ve looked around trying to understand this script to make it work but I’ve been unable to make it run… I’m on a 192.168.1.0/24 test network. I have replaced
If Left( oClient.IPAddress, 7 ) = "172.16." Then
with:
If Left( oClient.IPAddress, 8 ) = "192.168." Then
But in mail headers I still see the internal IP address from where it was sent:
Received: from [192.168.1.207] (domain.com [ex.ter.nal.ip])

I tried adding it before, after and below and nothing shows up in the log. I’m also new to hMailServer so I don’t know all the nuances of it. I really would like to figure out where I went wrong so that I can put this into production. Thank You

I am not sure why people find out solutions and never post them. Could someone please let me know what I need to do to change this to a 192.168.1.0/24 network? I tried changing Left, 10 and value to 192.168.1. .